Safe Switch

Vulnerability

You may have noticed that this default MAC address learning process does not contain an authentication step. Any host connected to the switch can interrupt the MAC address table records by sending data frames, and the switch cannot verify the authenticity of the frame's source MAC address. In the following example, I introduce three common attacks that work by sending a data frame with a fake source MAC address. You can easily find tools on the Internet to launch this kind of attack. These tools are also available through Linux penetration testing distros, such as Kali Linux [1].

MAC Flooding Attack

Space is limited in the switch's MAC address table. The maximum number of records ranges from several thousand for entry-level models to hundreds of thousands for advance models. What happens if the MAC address table is full? Depending on the coding of the switch's operating system, three possible results are:

1. Old records are removed immediately to free up space for learning new MAC addresses.

2. The switch stops learning new MAC addresses until old records are flushed.

3. The system halts.

Hackers may hope to see results 1 and 2, because the resumption of broadcasts gives the intruder a chance to capture sensitive information.

You can check the maximum capacity of a switch's MAC address table by using the switch's operating system. For Cisco IOS, use the following command to check the MAC address table's available space:

SW#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 3
Static  Address Count  : 0
Total Mac Addresses    : 3
Total Mac Address Space Available: 6021

In a MAC flooding attack, an attacker attempts to generate a large number of data frames with different MAC addresses (generated randomly) and send them to the switch (Figure 3). The switch learns every single frame's source address and stores the addresses in the MAC address table until it is full.

Figure 3: An attacker sends a frame with a fake MAC address to SW1 by broadcast.

You can use macof [2], which is preinstalled on Kali Linux, to implement the MAC flooding attack. Simply open the command console and type

macof -e [interface]

to start the attack. Listing 1 generates random MAC addresses and sends them out to the interface.

root@kali:~# macof -e eth1
e3:8b:88:3:b4:cd d8:25:98:35:61:87 0.0.0.0.9537 > 0.0.0.0.18576: S 1905213613:1905213613(0) win 512
91:33:3b:3:a0:f5 d6:11:53:f:5e:c8 0.0.0.0.8066 > 0.0.0.0.49105: S 428779274:428779274(0) win 512
c4:27:40:74:3d:11 b9:a5:d3:1d:e:bf 0.0.0.0.8772 > 0.0.0.0.42343: S 1206065071:1206065071(0) win 512
9a:d7:d9:6a:fd:ee 9b:e8:7:15:e4:1d 0.0.0.0.44381 > 0.0.0.0.7072: S 352131538:352131538(0) win 512
42:33:77:69:9b:65 ef:3b:4c:19:e2:bd 0.0.0.0.24920 > 0.0.0.0.19837: S 1039619585:1039619585(0) win 512
a:60:b2:3d:fc:af d3:7c:5b:36:4a:61 0.0.0.0.17578 > 0.0.0.0.4432: S 727135709:727135709(0) win 512
18:75:26:4c:a8:23 10:81:2a:12:e1:be 0.0.0.0.42271 > 0.0.0.0.61161: S 1071867223:1071867223(0) win 512
98:15:eb:38:f3:c1 c8:d7:c1:61:be:a3 0.0.0.0.30693 > 0.0.0.0.57646: S 1759104040:1759104040(0) win 512
dc:6d:43:15:be:52 99:19:41:22:4e:36 0.0.0.0.29211 > 0.0.0.0.63665: S 481173385:481173385(0) win 512
42:d5:ac:47:75:fd 2:3c:f5:3a:29:b0 0.0.0.0.14787 > 0.0.0.0.57718: S 1888990933:1888990933(0) win 512
4d:ed:18:48:f0:f5 4b:ba:a5:66:ef:ee 0.0.0.0.54900 > 0.0.0.0.37268: S 397896255:397896255(0) win 512
<--Output Omitted-->

If you check the MAC address table count after a few seconds, you will find that all available spaces are filled by the fake records. As I mentioned before, MAC records will be deleted after 300 seconds. Consequently, the attacker may keep the program running by sending the fake MAC addresses to the network to ensure that all available switch spaces are filled up with the fake records:

SW#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 6024
Static  Address Count  : 0
Total Mac Addresses    : 6024
Total Mac Address Space Available: 0

After all correct records are timed out and the table is full of fake records, the attacker can capture the network broadcast traffic with sniffing software using a tool such as Wireshark.

MAC Spoofing

In MAC spoofing, the attacker sends a frame with the same source address as another device on the network instead of sending a random MAC address. The attacker sends out the frames with spoofed source MAC addresses frequently, say more than 10 frames per second, to ensure always winning the MAC address table completion. All the frames that should be sent to the victim will then go to the attacker, because the network switches have the wrong records in their MAC address tables (Figure 4).

Figure 4: The MAC address table is overwritten by the fake record so that all traffic with destination address ABCD.EF00.0001 will go to the attacker's port.

The Ettercap [3] utility, also available on Kali Linux, is often used to launch a MAC spoofing attack. First, you launch Ettercap (Figure 5). Next, select Sniff | Unified Sniffing to identify the attack interface (Figure 6), followed by Hosts | Scan to scan for hosts. Then, choose Hosts | Hosts to see all the hosts attached to the network. Finally, select Mitm | Port Stealing to start the attack (Figure 7).

Figure 5: Starting up Ettercap.

Figure 6: Selecting the attack interface.

Figure 7: Launching the attack.